Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection
The growing complexity of modern malware drives security applications to leverage Virtual Machine Introspection (VMI), which provides a complete and untainted view over the Virtual Machine state. To benefit from this ability, a VMI-aware Virtual Machine Monitor (VMM) must be set up in advance underneath the target system; a constraint for the massive application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a running Operating System, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services for remote applications: WhiteRabbit implements a LibVMI interface that enables it to be engaged by popular VMI applications remotely. Our prototype employs Intel as well as ARM virtualization extensions to take over control of a running Linux system. WhiteRabbit’s on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis.
Authors: Sergej Proskurin, Julian Kirsch, and Apostolis Zarras
Year/month: 2018/9
Booktitle: IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC)
Note: Ranked 3rd
Fulltext: 2018-ifipsec-whiterabbit.pdf
Bibtex:
@conference{
  author = {Sergej Proskurin and Julian Kirsch and Apostolis Zarras},
  title = {Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection},
  year = {2018},
  month = {September},
  booktitle = {IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC)},
  note = {Ranked 3rd},
  url = {https://www.sec.in.tum.de/i20/publications/follow-the-whiterabbit-towards-consolidation-of-on-the-fly-virtualization-and-virtual-machine-introspection/@@download/file/2018-ifipsec-whiterabbit.pdf}
}